Move ipset restore outside policy loop

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

pkg/controllers/netpol/policy.go

@@ -112,8 +112,7 @@ func (npc *NetworkPolicyController) syncNetworkPolicyChains(networkPoliciesInfo
 			}
 		}
 
-		for ipFamily, ipset := range npc.ipSetHandlers {
-			ipFamily := ipFamily
+		for ipFamily := range npc.ipSetHandlers {
 			// ensure there is a unique chain per network policy in filter table
 			policyChainName := networkPolicyChainName(policy.namespace, policy.name, version, ipFamily)
 
@@ -143,7 +142,11 @@ func (npc *NetworkPolicyController) syncNetworkPolicyChains(networkPoliciesInfo
 				}
 				activePolicyIPSets[targetSourcePodIPSetName] = true
 			}
+		}
+	}
 
+	for ipFamily, ipset := range npc.ipSetHandlers {
+		ipFamily := ipFamily
 		restoreStart := time.Now()
 		err := ipset.Restore()
 		restoreEndTime := time.Since(restoreStart)
@@ -164,7 +167,6 @@ func (npc *NetworkPolicyController) syncNetworkPolicyChains(networkPoliciesInfo
 			return nil, nil, fmt.Errorf("failed to perform ipset restore: %w", err)
 		}
 	}
-	}
 
 	klog.V(2).Infof("Iptables chains in the filter table are synchronized with the network policies.")